Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LTX-2.3 Video API

v1.0.0

Generate videos via LTX-2.3 API (ltx.video). Supports text-to-video, image-to-video, audio-to-video (lip-sync from audio + image), extend, and retake. Use wh...

by Paul de Lavallaz (@pauldelavallaz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name, description, and SKILL.md all consistently describe a video-generation integration with https://api.ltx.video/v1 and appropriate endpoints (text-to-video, image-to-video, audio-to-video, extend, retake). That capability aligns with the documented curl and Python examples. However, the metadata does not declare the primary credential (LTX_API_KEY) used throughout the examples, nor does it list common required binaries (curl, python3, ffmpeg) mentioned in the docs — an inconsistency between capability and declared requirements.
! Instruction Scope
The runtime instructions tell the agent to send media and prompts to the third‑party LTX API and to upload local media to a public file host (uguu.se) via curl. They reference environment variables (LTX_API_KEY) and tools (curl, python3, ffmpeg) that are not declared in metadata. Uploading local media to a public host is expected for this workflow but is a privacy-sensitive operation and should be explicit in the skill manifest. The instructions do not request arbitrary system files, but they do direct reading and uploading of local media files — which is reasonable for the feature but must be disclosed.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk code risk. There is no downloader or extract step in the manifest.
! Credentials
The SKILL.md examples consistently use an Authorization header with a Bearer token (LTX_API_KEY), but the skill metadata lists no required environment variables or primary credential. Requiring an API key for an external service is expected, so the omission from the manifest is a coherence/visibility problem. Additionally, the instructions direct the agent to upload user media to a third-party host (uguu.se) — this is functionally necessary but privacy‑sensitive and should be called out in the metadata/consent flow.
Persistence & Privilege
always is false and the skill is user-invocable and can be called autonomously (normal). The skill does not request persistent or system-wide privileges in the manifest and does not modify other skills' configs.
What to consider before installing
This skill appears to do what it says (call ltx.video to generate video), but the manifest is incomplete. Before installing:
1) ask the publisher to declare LTX_API_KEY (or equivalent) and list required binaries (curl, python3, ffmpeg) in the registry metadata so you know what credentials/tools are needed;
2) be aware that using the skill will upload media to external endpoints (uguu.se and ltx.video) — don't upload sensitive content unless you trust those services and accept their privacy/retention policies;
3) verify the API base URL and vendor (there's no homepage provided) and prefer an official vendor URL or public repo;
4) never provide unrelated credentials, and keep your LTX API key scoped and revokable;
5) if you need higher assurance, request source code or an installable package with verifiable provenance.
If the publisher can't or won't correct the missing metadata and provenance, treat this skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk970r2dfjr3wmekdsq88c9t35x82kvzn
